Ultra Excel 97 Password Cracker v1.00 (c) 1999 Ivan Golubev
===========================================================


Contents
========

  Description
  Requirements
  Usage
  Template attack
  National languages support
  Performance
  Known bugs and limitations
  Future enhancements
  How to register
  Special thanks
  Technical support
  Where to get the latest version


Description
-----------

Ultra Excel 97 Password Cracker (or UE97PC) can be used to recover
passwords for Microsoft Excel 97 files. Here is brief list of UE97PC advantages:

  - UE97PC is a 32-bit application for Windows 9x/NT4.0.
  - UE97PC has a user friendly GUI.
  - UE97PC supports three types of attack: "brute-force", dictionary based
    and a mix of "brute-force" and dictionary based, called a template attack.
  - UE97PC is a fast program. On a K6-2-300 system its performance is about
    35 000 password tests per second.
  - UE97PC is customisable: you can set up the minimum and maximum password
    length, define the type of characters used in the password for a
    "brute-force" attack, and you can choose the method of modifying a test
    password from the dictionary file, for a "dictionary based" attack.
  - You can interrupt UE97PC at any time and save the current cracking status.
  - UE97PC shows you an estimate of the time remaining for a solution.
  - There is multi-lingual National language support, using simple text files.


Requirements
------------

To run this program you need:
  - A computer with running Windows 95/98/NT.
  - About 100 kilobytes of free hard disk space.


Usage
-----

After starting UE97PC, select the Task menu, choose New, then select
the Excel 97 file that you want to process. In the next dialog box
select the attack type to be used. 

If you have selected the "brute-force" attack, in the next dialog box
define the characters to use in the password search, and the minimum
and maximum password length. Then press the "Go" button.

If you have selected the "dictionary based" attack, in the next dialog box
enter the dictionary name and choose how to modify passwords found in the
dictionary file. Then press the "Go" button. The program automatically
recognises the line delimiter used in the dictionary file. It may be
DOS <CR/LF> or UNIX <LF> or just a <CR> delimiter.

For the "template attack" see the description below.

The program is now working. It shows the current status. You can see the
current password being tested, the average passwords tested per second,
and the estimated time to reach a solution. The status information is
updating every 5 (by default) seconds. At any moment you can interrupt the
cracking process by selecting the "Task\Stop" menu item. Also at any moment
you can save the current cracking status by selecting the "Task\Save" menu 
item. By default, UE97PC will save the current cracking status in a file with
an extension of .wpc, and with the same name as the Excel document file being
processed. You can open this file later and continue the cracking process
from the saved position.

If you think that your system is not stable you can use the autosave function.
Select "Options\Setup" and check "autosave every xx minutes". Note that if
you start a new task with autosave "on" then you will be asked for the status
filename when the autosave time comes (if you have not manually saved the
status previously).

Also you can change the time interval between status updates. However, we
recommend that the update time interval be 5 or more seconds; if it is less 
than 5 seconds the speed of execution of the program will decrease by between
1% and 3%.

If you think that UE97PC takes up too much space on the task bar you can select 
"Options\Setup\Minimize to tray".

When (if) UE97PC find a password it stops working and displays the results.
It shows the Excel document filename, the password for those files and the
password length. Also UE97PC saves the password in a file with the extension
.psw, into the same location as the Excel document.


Template attack
---------------

A "template attack" is a mix of "brute-force" and a dictionary-based attack. It
can greatly assist in the finding of a password if you know something about the
password. The main idea of a template attack is to subdivide the password using 
known information. Each part of a template may be either some character set
with a minimum and maximum length, or some word from a dictionary file. To 
understand how to use a template attack let's take some examples:

I. I remember that the password starts with two digits (but I don't remember
them), then I used from 3 to 5 lower case letters and maybe I used a special 
character at the end.

So I select template attack and describe the template as:
+----------+--------------+------------------------------+
| Position | Repeat Count |    Description               |
|          |  min  |  max |                              |
+----------+-------+------+------------------------------+
|        1 |   2   |   2  |   Digits (0123456789)        |
|        2 |   3   |   5  |   Lower case letters (abc...)|
|        3 |   0   |   1  |   Special symbols (!#$...)   |
+----------+-------+------+------------------------------+
Using this template UE97PC starting to generate password from 00aaa, 00aab,
00aac, ..., 00baa, ..., 12adef$, ..., 21ivan$, ..., up to 99zzzzz~.
This template will be processed much faster than a "brute-force" attack that 
uses character sets "digits" + "lower case letters" + "special symbols", and
with a minimum length of 5 and a maximum length of 8.

II. Ok, let's look at the standard keyboard layout:
 1 2 3 4 5 6 7 8 9 0 - = \
  q w e r t y u i o p [ ]
   a s d f g h j k l ; '
    z x c v b n m , . /

Consider the case where I remember that the password for a file is, for example,
"golubev".  Suppose I incorrectly typed the password, so that in fact "golubev"
is incorrect. Then, given that word, I know which parts of the keyboard I
originally pressed, (or I've watched how another person typed in a password :-)).
Using that incorrect password I can create the following template:
+----------+--------------+----------------------------+
| Position | Repeat Count |    Description             |
|          |  min  |  max |                            |
+----------+-------+------+----------------------------+
|        1 |   1   |   1  |   rtyfghcvbn               |
|        2 |   1   |   1  |   890iopjkl;               |
|        3 |   1   |   1  |   iopkl;m,./               |
|        4 |   1   |   1  |   678yuighjk               |
|        5 |   1   |   1  |   fghjvbn and space        |
|        6 |   1   |   1  |   234wersdf                |
|        7 |   1   |   1  |   dfgcvb and space         |
+----------+-------+------+----------------------------+
Using this template UE97PC can find such passwords as "go;ubev" or "holubwv".

III. Since I am smart enough not to password a file with only a simple word, 
I've used a more complex password, but I've forgotten that password! And,
because I am so smart, the password cannot be recovered by a simple 
dictionary based attack (even using all available modifiers).
However, I know that the password starts with from 2 to 3 digits, 
then I've used some simple word, and maybe I've used a special symbol at the
end. So, first I create a dictionary file of the likely words that I may have
used, (I don't know what word I've used but I try to anticipate it):
=================================================================
ivan
formula-1
f1
formula1
formula_1
password
UE97PC
computer
ok
ok computer
radio
head
=================================================================
I have called this dictionary file mydict.txt.

Secondly, I create the following template:
+----------+--------------+-------------------------------------+
| Position | Repeat Count |    Description                      |
|          |  min  |  max |                                     |
+----------+-------+------+-------------------------------------+
|        1 |   2   |   3  |   digits                            |
|        2 |   -   |   -  |   Word from "mydict.txt":           |
|          |       |      |   all upper/lower case combinations |
|        3 |   0   |   1  |   Special symbols                   |
+----------+-------+------+-------------------------------------+

UE97PC starts to work and after some time it finds the correct password
"91FoRmuLa-1$". Wow, it's not so good to be too smart :-)

I hope these examples will help you to understand how to use the
"template attack". But if you have some questions feel free to contact us.


National languages support
--------------------------

UE97PC can support national languages. There is a message file named UE97PC.lng
in the same directory as the program. You can replace this file with
another that contain messages in your national language.


Performance
-----------

  Here is a small table with testing results. 
+-------------------+-----------------------+
|    Computer/OS    | Passwords per seconds |
+-------------------+-----------------------+
| Cyrix PR233 Win98 |        25 000         |
| K6-2-300    WinNT |        35 000         |
+-------------------+-----------------------+


Known bugs and limitations
--------------------------
  <Empty>

Future enhancements
-------------------
  - Speed optimisation.
  - Support local network.
  - Your wishes.


How to register
---------------
Why you should register ....

Because,

  - your support helps the author make this program better.

  - you gain access to all the features of UE97PC. Being unregistered, UE97PC
    does not support passwords with a length exceeding four characters for
    a brute-force attack. Also, UE97PC doesn't support modifiers "All available
    combinations", "Reverse order" and "All available combinations in
    reverse order" for dictionary-based/template attacks.

Once registered you will receive your own registration number. After you
enter it in the Options/Registration dialog box, you will gain access to
all the features of UE97PC. Note that the registration number will be valid
for all future updates of UE97PC. Registration costs 30 US Dollars.

At this moment there are two ways to register:

1. The fastest way is to use a credit card. You can register UE97PC via the
"Register Now" option at :

	https://www.regnow.com/softsell/nph-softsell.cgi?item=1964-2

NOTE : The information you send about your card is in a very secure format.
       No one can read it other than credit card processor program.

2. You can transfer $30 direct to our bank account. If you want to use this 
method, tell us in what country you live and we will send you more detailed
information. But please note, there are taxes for bank transfers. The taxes
can be up to 100%!

If you cannot use either of these ways contact to us, and we'll try to find
another way.

You can contact us via e-mail at trooper@mail.wplus.net.


Special thanks to
-----------------
	Chris Gregory     who edited this file.


Technical support
-----------------
For technical support please contact :

	Ivan Golubev at trooper@mail.wplus.net
or
 	Denis Gladysh at m53group@chat.ru


Where to get the latest version
-------------------------------
The latest version of this program is available from our web pages at :

	http://members.xoom.com/m53group

or the Russian mirror

	http://www.chat.ru/~m53group

